146890 – SELinux policy prevent new list creation from web interface

Bug 146890 - SELinux policy prevent new list creation from web interface

Summary: SELinux policy prevent new list creation from web interface

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	mailman
Sub Component:
Version:	3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	John Dennis
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	151550 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-02-02 15:55 UTC by John Dennis
Modified:	2007-11-30 22:10 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-02-14 21:45:24 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
python stack trace (4.14 KB, text/html) 2005-02-02 16:01 UTC, John Dennis	no flags	Details
avc error message in /var/log/messages (451 bytes, text/plain) 2005-02-02 16:01 UTC, John Dennis	no flags	Details
View All

Description John Dennis 2005-02-02 15:55:06 UTC

The SELinux security policy prevents a new list from being created
using the web interface (note: bin/newlist works). Attached are the
mailman stack trace and the avc error message in /var/log/messages.

Note: this was originally reported by Markus Darges
<darges.de> on the mm-users mailing list.

Comment 1 John Dennis 2005-02-02 16:01:19 UTC

Created attachment 110549 [details]
python stack trace

Comment 2 John Dennis 2005-02-02 16:01:56 UTC

Created attachment 110550 [details]
avc error message in /var/log/messages

Comment 3 John Dennis 2005-02-02 16:04:50 UTC

Note: short term work arounds include:

1) Disable SELinux

2) use command line interface to create lists (e.g. bin/newlist)

Comment 4 John Dennis 2005-02-03 14:33:17 UTC

[From Markus in a private email]

But that was not the only problem between SELinux and mailman. With 
SELinux turned on I couldn't import a list of new members. I got the 
error that no usable temporary file could be found.
And I wasn't able to change the html sites:

Traceback (most recent call last):
  File "/usr/lib/mailman/scripts/driver", line 87, in run_main
    main()
  File "/usr/lib/mailman/Mailman/Cgi/edithtml.py", line 123, in main
    ChangeHTML(mlist, cgidata, template_name, doc)
  File "/usr/lib/mailman/Mailman/Cgi/edithtml.py", line 161, in ChangeHTML
    os.mkdir(langdir, 02775)
OSError: [Errno 13] Permission denied: '/var/lib/mailman/lists/ma1/de'

Comment 5 Alberto Barbati 2005-02-08 10:56:08 UTC

About the problem with importing new members ("no usable temporary
directory"), I just filed bug #147466 with a workaround that does not
require SELinux to be disabled.

About this bug, the file policy.conf contains the following policy:

allow mailman_cgi_t mailman_archive_t:dir { read getattr lock search
ioctl add_name remove_name write };

in order to create a list the "create" permission is also necessary
and should be added. However, this does not seem to be enough, as
there is still a problem when Mailman tries to invoke /usr/sbin/postalias:

RuntimeError: command failed: /usr/sbin/postalias /etc/mailman/aliases
(status: 1, Operation not permitted)

audit2allow says that the problem might be fixed by adding the policy:

allow mailman_cgi_t self:unix_dgram_socket create;

however I didn't feel confident to add that, because of my ignorance
about possible repercussions.

Comment 6 John Dennis 2005-02-14 21:45:24 UTC

fixed in latest security policy

Comment 7 Ben Levenson 2005-03-19 17:11:38 UTC

*** Bug 151550 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.